{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {
    "execution": {
     "iopub.execute_input": "2020-09-24T04:06:52.928068Z",
     "iopub.status.busy": "2020-09-24T04:06:52.927779Z",
     "iopub.status.idle": "2020-09-24T04:06:52.934766Z",
     "shell.execute_reply": "2020-09-24T04:06:52.934058Z",
     "shell.execute_reply.started": "2020-09-24T04:06:52.928046Z"
    }
   },
   "source": [
    "# Detect Dump LSASS.exe Memory using comsvcs\n",
    "\n",
    "#### This search detects the memory of lsass.exe being dumped for offline credential theft attack.\n",
    "\n",
    "References: https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\n",
    "\n",
    "Author: Jose Hernandez, Splunk\n",
    "\n",
    "Known false positives: None identified.\n",
    "\n",
    "Tags: Credential Dumping, T1003.003, Actions on Objectives, CIS 8, CIS 16\n",
    "\n",
    "Source: https://github.com/splunk/security-content/blob/develop/detections/dump_lsass_via_comsvcs_dll.yml"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 1,
   "metadata": {
    "execution": {
     "iopub.execute_input": "2020-10-19T19:49:47.098495Z",
     "iopub.status.busy": "2020-10-19T19:49:47.098215Z",
     "iopub.status.idle": "2020-10-19T19:49:50.310310Z",
     "shell.execute_reply": "2020-10-19T19:49:50.309793Z",
     "shell.execute_reply.started": "2020-10-19T19:49:47.098471Z"
    }
   },
   "outputs": [
    {
     "data": {
      "application/vnd.jupyter.widget-view+json": {
       "model_id": "bb8622490e2143d2b9414eadac5441af",
       "version_major": 2,
       "version_minor": 0
      },
      "text/plain": [
       "HBox(children=(HTML(value=''), FloatProgress(value=0.0, max=5.0), HTML(value='')))"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    },
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      " Finished.                     "
     ]
    },
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>process</th>\n",
       "      <th>machine</th>\n",
       "      <th>process_name</th>\n",
       "      <th>input_event</th>\n",
       "      <th>tenant</th>\n",
       "      <th>timestamp</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>\"c:\\windows\\system32\\rundll32.exe\" c:\\windows\\...</td>\n",
       "      <td>eyJlbnRpdHlUeXBlIjoiREVWSUNFIiwicHJpbWFyeUFydG...</td>\n",
       "      <td>rundll32.exe</td>\n",
       "      <td>{'_tenant': 'test', '_time': '1600731080000', ...</td>\n",
       "      <td>test</td>\n",
       "      <td>2020-09-21 23:31:20</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>"
      ],
      "text/plain": [
       "                                             process  ...           timestamp\n",
       "0  \"c:\\windows\\system32\\rundll32.exe\" c:\\windows\\...  ... 2020-09-21 23:31:20\n",
       "\n",
       "[1 rows x 6 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    },
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "\n"
     ]
    },
    {
     "data": {
      "text/plain": [
       "<spl2_kernel.spl2_runner.SPL2Job at 0x7f3b8896e750>"
      ]
     },
     "execution_count": 1,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "| from read_text(\"s3://smle-experiments/datasets/attack-range/T1003.001/windows-security-events_ssa.log\")\n",
    "| select from_json_object(value) as input_event\n",
    "| eval tenant=ucast(map_get(input_event, \"_tenant\"), \"string\", null),\n",
    "machine=ucast(map_get(input_event, \"dest_ip_id\"), \"string\", null),\n",
    "process_name=lower(ucast(map_get(input_event, \"process_name\"), \"string\", null)),\n",
    "timestamp=parse_long(ucast(map_get(input_event, \"_time\"), \"string\", null)),\n",
    "process=lower(ucast(map_get(input_event, \"process\"), \"string\", null))\n",
    "| where process_name LIKE \"%rundll32.exe%\"\n",
    "AND match_regex(process, /(?i)comsvcs.dll[,\\s]+MiniDump/)=true;"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {
    "execution": {
     "iopub.execute_input": "2020-09-24T04:07:41.132723Z",
     "iopub.status.busy": "2020-09-24T04:07:41.132299Z",
     "iopub.status.idle": "2020-09-24T04:07:41.142005Z",
     "shell.execute_reply": "2020-09-24T04:07:41.141000Z",
     "shell.execute_reply.started": "2020-09-24T04:07:41.132683Z"
    }
   },
   "source": [
    "# Dataset \n",
    "This data set way generated via launching [atomic red team](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/) technique ID: T1003.01 and results were captured by the [Splunk Attack Range](https://github.com/splunk/attack_range).\n",
    "This detection specifically address [atomic](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md#atomic-test-3---dump-lsassexe-memory-using-comsvcsdll)\n",
    "Source: https://github.com/splunk/attack_data/blob/master/datasets/T1003.001/dataset.yml"
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "SPL2",
   "language": "SPL",
   "name": "spl2"
  },
  "language_info": {
   "mimetype": "text/spl",
   "name": "SPL"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}
